
chore: security upgrades, Node 22, .nvmrc, and llms.txt#542

Open
operfildoluiz wants to merge 1 commit into omarciovsena:master from operfildoluiz:master

Conversation

@operfildoluiz

Description

  • Upgraded all production and dev dependencies to their latest major versions
  • Resolved all yarn audit vulnerabilities (219 → 0) via direct upgrades and resolutions overrides for transitive deps
  • Bumped Node.js requirement from 16 to 22 LTS across engines, Dockerfile, and new .nvmrc
  • Added public/llms.txt for AI/LLM discoverability
  • Migrated husky v3 → v9 hook format

Motivation or Context

yarn audit reported 219 vulnerabilities (10 critical, 88 high, 100 moderate, 21 low) in the previous dependency tree. Several were in directly-declared production packages:

  • mongoose ^5 — critical + high severity CVEs
  • jsonwebtoken ^8 — critical + high severity CVEs
  • axios ^0.28 — critical (SSRF) + high severity CVEs
  • @sendgrid/mail ^6 — critical via form-data unsafe random boundary
  • express ^4.18 — high via path-to-regexp ReDoS

How Has This Been Tested?

The full test suite (yarn test) passes after the changes. Testing was run against Node 22.19.0 (now pinned in .nvmrc).

Breaking changes from major version bumps were addressed:

  • Mongoose v5 → v6: removed deprecated connection options (useCreateIndex, useNewUrlParser, useUnifiedTopology) that throw in v6, in both app.js and __test__/initDatabase.js; added mongoose.set('strictQuery', false)
  • husky v3 → v9: replaced "husky": { "hooks": ... } in package.json with .husky/pre-commit file and prepare script
  • eslint v6 → v8: replaced removed eslint-plugin-node with its successor eslint-plugin-n; updated eslint-config-standard to v17

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly. (public/llms.txt added)
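The Node pin described in this PR lives in three places (engines in package.json, the Dockerfile base image, and .nvmrc) and those copies can drift apart on a later bump. The script below is an added example, not code from this PR or from the repository: it checks that the major version in .nvmrc matches package.json engines.node and every FROM node: line in the Dockerfile, assuming those three files sit at the root of the directory it is given. The fixture files it writes are constructed sample input, not the project's real files.

```shell
#!/bin/sh
# Added example (not from the PR): a drift check that the Node major version is
# pinned consistently in .nvmrc, package.json "engines.node", and every
# "FROM node:<tag>" line of the Dockerfile. Assumes all three files live at the
# root of the directory passed in. Returns 0 when consistent, 1 otherwise, and
# prints one line per mismatch so it can run as a CI step or a pre-commit hook.

check_node_pin() {
  dir="$1"
  status=0

  # .nvmrc: "22.19.0" or "v22" -> major "22"
  nvmrc_major=$(sed -n '1s/^v\{0,1\}\([0-9][0-9]*\).*/\1/p' "$dir/.nvmrc")
  if [ -z "$nvmrc_major" ]; then
    echo "missing or unparsable $dir/.nvmrc"
    return 1
  fi

  # engines.node: ">=22", "22.x", ... -> the first run of digits is the major
  engines_node=$(sed -n 's/.*"node"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$dir/package.json" | head -n 1)
  engines_major=$(printf '%s' "$engines_node" | sed 's/^[^0-9]*\([0-9][0-9]*\).*/\1/')
  if [ "$engines_major" != "$nvmrc_major" ]; then
    echo "package.json engines.node \"$engines_node\" does not pin Node $nvmrc_major"
    status=1
  fi

  # Dockerfile: every base image tag must start with the same major
  # (a non-numeric tag such as "lts-alpine" is reported as drift too)
  for tag in $(sed -n 's/^[Ff][Rr][Oo][Mm][[:space:]]\{1,\}node:\([^[:space:]]*\).*/\1/p' "$dir/Dockerfile"); do
    tag_major=$(printf '%s' "$tag" | sed 's/^\([0-9][0-9]*\).*/\1/')
    if [ "$tag_major" != "$nvmrc_major" ]; then
      echo "Dockerfile FROM node:$tag does not pin Node $nvmrc_major"
      status=1
    fi
  done

  return "$status"
}

# Constructed fixture for a stand-alone run (sample files, not the project's own).
# $1 = engines.node value, $2 = Dockerfile image tag; prints the directory path.
make_fixture() {
  d=$(mktemp -d)
  printf '22.19.0\n' > "$d/.nvmrc"
  printf '{\n  "name": "fixture",\n  "engines": { "node": "%s" }\n}\n' "$1" > "$d/package.json"
  printf 'FROM node:%s\nWORKDIR /app\nCOPY . .\n' "$2" > "$d/Dockerfile"
  printf '%s' "$d"
}

# Demo on a consistent fixture: prints nothing from the check, then the summary line.
check_node_pin "$(make_fixture '>=22' '22-alpine')" && echo "fixture is consistent"
```

From a real checkout, call check_node_pin on the repository root (for example from the .husky/pre-commit hook this PR introduces, or as a CI step); a non-zero exit with the printed mismatch lines is the signal that one of the three pins was bumped without the others.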

